Threat Description

NetSky.S

Details

Aliases: NetSky.S, W32/NetSky.S@mm, I-Worm.Netsky.t, Netsky.t
Category: Malware
Type: Email-Worm
Platform: W32

Summary



The NetSky.S worm was discovered on April 4th, 2004. This variant has a more limited set of features compared to previous ones: it does not spread over local networks or P2P shares, and it no longer uninstalls the Bagle worm. The worm has a backdoor that listens on TCP port 6789.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to the General Removal Instructions for a general guide on alternative disinfection actions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



The worm's file is a PE executable 18432 bytes long, packed with the PE-Patch and UPX file compressors. Some of the worm's text strings are encrypted.

Installation to system

Upon execution NetSky.S copies itself as EasyAV.exe to the Windows folder and adds a startup key for this file to the System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "EasyAV" = "%WinDir%\EasyAV.exe"

where %WinDir% represents Windows folder name.

Additionally, the worm drops the file uinmzertinmds.opm in the Windows folder. This file contains the MIME-encoded copy of the worm's executable that is sent out in e-mails.

The worm always keeps two of its processes running in Windows memory; if one process is killed, the remaining one restarts it. The worm also protects its file and its startup key in the Registry from being deleted. All of the above makes manual disinfection a challenging task.
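The dropped uinmzertinmds.opm file is worth more to a responder than it looks: because it is the MIME-encoded copy of the worm, decoding it lets you tie the e-mail attachment seen on the mail gateway to the EasyAV.exe found on disk. The script below is an added example, not code from the original description or from F-Secure. It assumes the .opm file is a single base64 MIME part (the page does not show the file's exact layout), and it stands in for the worm binary with a constructed 18432-byte PE-shaped blob so it runs offline.

```python
import base64
import hashlib
import re


def make_fake_pe(size: int) -> bytes:
    """Constructed stand-in for the worm binary: a minimal DOS header ('MZ',
    e_lfanew -> 0x40), a 'PE\\0\\0' signature and zero padding. Not malware;
    it only has the shape the checks below look for."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * (size - len(hdr))


# Stand-in for %WinDir%\EasyAV.exe at the size given in the description.
FAKE_EASYAV_EXE = make_fake_pe(18432)


def build_mime_copy(payload: bytes, name: str = "document.pif") -> str:
    """Produce a base64 MIME attachment part carrying `payload`: the assumed
    shape of uinmzertinmds.opm (constructed for this example)."""
    b64 = base64.b64encode(payload).decode("ascii")
    wrapped = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        f'Content-Type: application/octet-stream; name="{name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{name}"\r\n'
        "\r\n" + wrapped + "\r\n"
    )


SAMPLE_OPM = build_mime_copy(FAKE_EASYAV_EXE)


def extract_mime_payload(text: str) -> bytes:
    """Decode the base64 body of a single MIME part, whatever its line wrapping."""
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        head, sep, body = text.partition("\n\n")
    if "base64" not in head.lower():
        raise ValueError("part is not base64-encoded")
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)


def is_pe_image(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def compare_dropper(opm_text: str, exe_bytes: bytes) -> dict:
    """Decode the MIME copy and relate it to the on-disk executable by hash."""
    decoded = extract_mime_payload(opm_text)
    digest = hashlib.sha256(decoded).digest()
    return {
        "size": len(decoded),
        "is_pe": is_pe_image(decoded),
        "sha256": digest.hex(),
        "matches_exe": digest == hashlib.sha256(exe_bytes).digest(),
    }


if __name__ == "__main__":
    print(compare_dropper(SAMPLE_OPM, FAKE_EASYAV_EXE))
```

On a real host you would read %WinDir%\uinmzertinmds.opm and %WinDir%\EasyAV.exe from disk instead of the constructed blobs; a size of 18432 bytes and matching hashes confirm that the mailed attachment and the installed copy are the same binary, which is what lets gateway-side and host-side findings be tied together.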

Spreading in e-mail

Before spreading by e-mail the worm collects e-mail addresses. It scans all files on all drives from C: to Z:, except CD-ROM drives. If a file with one of the following extensions is found, the worm opens it and searches it for e-mail addresses:

.eml
 .txt
 .php
 .cfg
 .mbx
 .mdx
 .asp
 .wab
 .doc
 .vbs
 .rtf
 .uin
 .shtm
 .cgi
 .dhtm
 .adb
 .tbb
 .dbx
 .pl
 .htm
 .html
 .sht
 .oft
 .msg
 .ods
 .stm
 .xls
 .jsp
 .wsh
 .xml
 .mht
 .mmf
 .nch
 .ppt

The worm spreads itself in e-mails with varying subject lines, body texts and attachment names. Here is the list of subjects that the worm uses:

Hi
 Hello
 Re: Hi
 Re: Hello
 Approved
 Re: Approved
 Thank you!
 Re: Thanks you!
 Request
 Re: Request
 Your document
 Re: Your document
 Your details
 Re: Your details
 Your information
 Re: Your information
 My details
 Re: My details
 Important
 Re: Important

The message body is composed from 4 different string arrays:

Array1:

Hi!
 Hello!
 Hello!

Array2:

Please read the <string>.
 Please have a look at the <string>.
 Here is the <string>.
 The <string> is attached.
 Please see the <string>.
 I have sent the <string>.
 The requested <string> is attached!
 Here is the document.
 See the document for details.
 Please have a look at the attached document.
 Please read the attached document.
 Your file is attached to this mail.
 Please, <string>.
 Your <string> is attached.
 My <string> is attached.
 I have found the <string>.
 Approved, here is the document.
 For more information see the attached document.
 For more details see the attached document.
 Please read quickly.
 Please notice the attached document.
 Please notice the attached <string>.
 Your <string>.
 I have spent much time for your document.
 I have spent much time for the <string>.
 The <string>.
 My <string>.
 Note that I have attached your document.

Array3:

Thanks
 Thank you
 Yours sincerely

Array4:

+++ X-Attachment- document
 +++ X-Attachment-Status: no virus found
 +++ Powered by the new Panda OnlineAntiVirus
 +++ Website: www.pandasoftware.com
 +++ X-Attachment- document
 +++ X-Attachment-Status: no virus found
 +++ Powered by the new MCAfee OnlineAntiVirus
 +++ Homepage: www.mcafee.com
 +++ X-Attachment- document
 +++ X-Attachment-Status: no virus found
 +++ Powered by the new F-Secure OnlineAntiVirus
 +++ Visit us: www.f-secure.com
 +++ X-Attachment- document
 +++ X-Attachment-Status: no virus found
 +++ Powered by the new Norton OnlineAntiVirus
 +++ Free trial: www.norton.com

Both the attachment name and the <string> value in the message body are selected from the following variants:

approved file
 list
 corrected document
 archive
 abuse list
 presentation document
 instructions
 details
 improved document
 note
 message
 contact list
 number list
 file
 secound document
 improved file
 user list
 textfile
 new document
 text
 information
 info
 word document
 excel document
 powerpoint document
 detailed document
 homepage
 letter
 mail
 document
 old document
 approved document
 movie document
 picture document
 summary
 description
 requested document
 notice
 bill
 answer
 release
 final version
 diggest
 important document
 order
 photo document
 personal message
 phone number
 e-mail
 icq number
 report
 story
 concept
 developement
 sample
 postcard
 account

The infected attachment has a .PIF extension and may also contain random numbers in its name. The worm does not spread itself from the 13th to the 17th of April 2004.
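The subject list, the fake "OnlineAntiVirus" trailer (Array4) and the .PIF attachment together give a mail gateway enough to recognise this family without a signature for the binary. The classifier below is an added example, not code from the original description or from F-Secure. The two messages it parses are constructed for the example (they are not captured samples), and the decision rule (a .pif attachment plus either a listed subject or the trailer text) is an assumption chosen to keep ordinary "Hi"/"Hello" mail from being flagged on the subject alone.

```python
import email
import re
from email import policy

# Subject lines listed above for NetSky.S, lower-cased for comparison.
NETSKY_S_SUBJECTS = {s.lower() for s in (
    "Hi", "Hello", "Re: Hi", "Re: Hello", "Approved", "Re: Approved",
    "Thank you!", "Re: Thanks you!", "Request", "Re: Request",
    "Your document", "Re: Your document", "Your details", "Re: Your details",
    "Your information", "Re: Your information", "My details", "Re: My details",
    "Important", "Re: Important",
)}

# Fragments of the fake scanner trailer the worm appends to the body (Array4).
BODY_MARKERS = ("+++ X-Attachment-Status: no virus found", "OnlineAntiVirus")

# Any .pif attachment; the worm adds random digits to the name, so the stem
# is not matched, only the extension.
PIF_NAME_RE = re.compile(r"\.pif$", re.IGNORECASE)


def classify(raw_message: str) -> dict:
    """Report which NetSky.S traits a raw RFC 822 message exhibits."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject") or "").strip()
    subject_match = subject.lower() in NETSKY_S_SUBJECTS

    pif_attachments = [
        part.get_filename() for part in msg.iter_attachments()
        if PIF_NAME_RE.search(part.get_filename() or "")
    ]

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    body_marker = any(marker in body for marker in BODY_MARKERS)

    # Assumed rule: a .pif attachment is required; the subject list or the
    # trailer text then confirms the family.
    flagged = bool(pif_attachments) and (subject_match or body_marker)
    return {
        "subject": subject,
        "subject_match": subject_match,
        "pif_attachments": pif_attachments,
        "body_marker": body_marker,
        "flagged": flagged,
    }


# Constructed message in the shape described above (not a real capture).
SAMPLE_NETSKY_EML = """\
From: someone@example.com
To: victim@example.net
Subject: Re: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Hello!
Please read the improved document.
Thanks

+++ X-Attachment- document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus
+++ Visit us: www.f-secure.com
--sep
Content-Type: application/octet-stream; name="document7321.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document7321.pif"

TVoAAAAAAAAAAAAAAAAA
--sep--
"""

# Constructed benign message: listed subject, but a PDF and no trailer.
SAMPLE_BENIGN_EML = """\
From: colleague@example.com
To: victim@example.net
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Hi! Here is the report we discussed.
--sep
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

JVBERi0xLjQK
--sep--
"""

if __name__ == "__main__":
    print(classify(SAMPLE_NETSKY_EML))
    print(classify(SAMPLE_BENIGN_EML))
```

The benign message shares the subject "Hi" with the worm's list, which is why the subject alone is never enough here; on a gateway the .pif check is the load-bearing part, and the trailer text is a cheap second signal because legitimate scanners do not write "OnlineAntiVirus" into message bodies.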

Backdoor

The worm has a backdoor that listens on TCP port 6789. It allows a remote attacker to download and execute files on the infected computer.
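On a suspect host the listening socket is the quickest way to find the worm's process IDs, and the same netstat output shows the mass-mailing (outbound SMTP from the same PID). The triage script below is an added example, not code from the original description or from F-Secure. The netstat text it parses is constructed in the format of `netstat -ano` on a Windows XP-era system, with PID 1588 standing in for the worm; it is not output from a real infection.

```python
from typing import List, Set, Tuple

BACKDOOR_PORT = 6789

# Constructed `netstat -ano` output (not a real capture). PID 1588 plays the worm.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.20:1052      192.168.1.5:25         ESTABLISHED     1588
  TCP    192.168.1.20:1053      203.0.113.10:25        SYN_SENT        1588
  TCP    192.168.1.20:1060      192.168.1.7:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""


def _port(addr: str):
    """Port number from 'host:port', or None for wildcards such as '*:*'."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def parse_netstat(text: str) -> List[dict]:
    """Parse `netstat -ano` rows; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        rows.append({
            "proto": proto,
            "local": local,
            "local_port": _port(local),
            "foreign_port": _port(foreign),
            "state": state,
            "pid": int(pid),
        })
    return rows


def find_backdoor_listeners(text: str, port: int = BACKDOOR_PORT) -> List[Tuple[str, int]]:
    """(local address, PID) for every TCP socket LISTENING on `port`."""
    return [
        (r["local"], r["pid"]) for r in parse_netstat(text)
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["local_port"] == port
    ]


def outbound_ports_for_pid(text: str, pid: int) -> Set[int]:
    """Remote ports a PID is talking to; a mass-mailer shows up on 25."""
    return {
        r["foreign_port"] for r in parse_netstat(text)
        if r["pid"] == pid and r["proto"] == "TCP"
        and r["state"] in ("ESTABLISHED", "SYN_SENT") and r["foreign_port"] is not None
    }


def triage(text: str, port: int = BACKDOOR_PORT) -> dict:
    """Suspect PIDs from the backdoor port, plus whether each is sending mail."""
    listeners = find_backdoor_listeners(text, port)
    pids = sorted({pid for _, pid in listeners})
    return {
        "listeners": listeners,
        "suspect_pids": pids,
        "smtp_activity": {pid: 25 in outbound_ports_for_pid(text, pid) for pid in pids},
    }


if __name__ == "__main__":
    print(triage(NETSTAT_SAMPLE))
```

A listener on 6789 by itself only says that something is bound to the worm's port, so confirm it against the other indicators above (EasyAV.exe in the Windows folder and the "EasyAV" Run value) before acting. Because the worm keeps two processes alive and each restarts the other, expect the suspect PID list to be a pair on a live infection, and terminate both together (or boot into a state where neither runs) before removing the file and Registry value.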

Payload

Netsky.S has a payload: it performs a DoS (Denial of Service) attack on the following websites from the 14th to the 23rd of April 2004:

www.cracks.am
 www.emule.de
 www.kazaa.com
 www.freemule.net
 www.keygen.us

Additional Info

This worm variant also contains a message from the author of the worm. Bagle is not mentioned there, and taking into account that Netsky no longer uninstalls Bagle, we consider the war to be over (at least for now).





